The next evolution in Office365 phishing campaigns


It comes as no surprise that Office365 is one of the most targeted services for phishing attacks worldwide. Credentials for enterprise Microsoft accounts are some of the most valuable for threat actors who can leverage them for a number of activities with this initial access vector. This ranges from stealing emails, business email compromise (BEC), to internal spear-phishing and malware attacks.

The latest wave of Office365 credential harvesting attacks involves multiple steps: the phishing email itself, a malicious URL, a legitimate document hosting service (such as *.clickfunnels[.]com or *.larksuite[.]com), and the fake login page. Kits of this type are also known as "LogoKit" because they dynamically alter the page's appearance based on the domain in the target's email address.

Demo of how this works:

(Fig. 1 - Current phishing chain leveraged in this campaign from January to February 2021)

This campaign typically leverages free domains using multiple gTLDs - namely .tk, .gq, .ml, .ga, and .cf - and hosts them on NameCheap servers (AS22612).

(Fig. 2 - Analysis of the infrastructure behind the high number of Office365 landing pages)

Fortunately, the ZIP archive of the phishing kit used in this campaign was located, sitting in an open directory. Analysis of the PHP and JavaScript behind this phishing kit revealed how the data is being collected and exfiltrated:

(Fig. 3 - Analysis of the phishing kit's code)

A number of details were left in the phishing kit which enabled me to pivot, using OSINT techniques, to the threat actor's profiles online. This is likely either the threat actor who is stealing the credentials for illegal gains or the individual who coded the phishing kit. 

(Fig. 4 - The OSINT trail I used to connect the phishing kit to the threat actor)

From investigating open sources, other security researchers have run into this threat actor in the past. They have been actively running phishing campaigns for over a year. (1, 2, 3)

Threat Intelligence:

Next, it is possible to track this campaign via open source tools. The phisher uses a number of TTPs which we can use to monitor for signs of this campaign. Disclosing the threat actor's techniques may push them to change their tactics, but doing so imposes a cost on the adversary.

The URLscan assets we can use to track this campaign:

Legitimate services leveraged to host malicious documents:
  • *.larksuite[.]com
  • *.clickfunnels[.]com
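As an added example (not code from the original post), the TTPs above can be turned into a simple triage script for records pulled from a URL-scanning service. The input records are constructed for this example, and the scoring rules (free gTLD, NameCheap AS22612, a document-hosting referrer) are an assumption drawn from the post, not a published signature.

```python
"""Triage scanned landing pages against the campaign profile described above."""
from urllib.parse import urlparse

FREE_TLDS = {"tk", "gq", "ml", "ga", "cf"}          # gTLDs named in the post
HOSTING_ASNS = {"AS22612"}                          # NameCheap, per the post
DOC_HOSTS = ("larksuite.com", "clickfunnels.com")   # legitimate lure hosts


def _hostname(url):
    """Lower-cased hostname of a URL, or "" when there is none."""
    host = urlparse(url).hostname or ""
    return host.rstrip(".").lower()


def _matches_suffix(host, suffixes):
    """True if host equals one of the suffixes or is a subdomain of one."""
    return any(host == s or host.endswith("." + s) for s in suffixes)


def score_record(rec):
    """Return the list of campaign TTPs a record matches (assumed rules)."""
    hits = []
    host = _hostname(rec["url"])
    if host.rsplit(".", 1)[-1] in FREE_TLDS:
        hits.append("free-gtld")
    if rec.get("asn") in HOSTING_ASNS:
        hits.append("namecheap-asn")
    if _matches_suffix(_hostname(rec.get("referrer", "")), DOC_HOSTS):
        hits.append("doc-host-referrer")
    return hits


def triage(records, min_hits=2):
    """Keep records matching at least min_hits TTPs, most suspicious first."""
    scored = [(rec["url"], score_record(rec)) for rec in records]
    flagged = [(url, hits) for url, hits in scored if len(hits) >= min_hits]
    return sorted(flagged, key=lambda item: -len(item[1]))


SAMPLE = [  # constructed sample records, not real indicators
    {"url": "http://login-office365.example.tk/index.php", "asn": "AS22612",
     "referrer": "https://docs.larksuite.com/shared/file"},
    {"url": "https://www.example.com/", "asn": "AS15169", "referrer": ""},
    {"url": "http://secure-mail.example.gq/", "asn": "AS16509",
     "referrer": "https://pages.clickfunnels.com/doc"},
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE):
        print(url, hits)
```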
Indicators of Compromise (IOCs):
Call to action:

These types of phishing campaigns are one of the most persistent threats on the current threat landscape. They are unlikely to disappear anytime soon. Hosting providers and registrars continue to permit cybercriminals to create hundreds of domains that serve only one purpose: stealing credentials. Until hosting providers clean up their act, these credential phishing campaigns will continue.

In the meantime, organisations are strongly advised to implement multi-factor authentication (MFA) to prevent threat actors from logging in with stolen credentials. Further, organisations should monitor for successful login attempts from unrecognised IP or MAC addresses, and enforce a comprehensive password policy, which includes changing passwords within a given time period (60 days is the recommended amount).

I would also like to give thanks to @n14 from @CuratedIntel who shared the initial landing page which led me down this rabbit hole. Collaborating on security research and sharing actionable intelligence is key to success amongst us CTI analysts.

My previous blogs on phishing are as follows:
